Reflected XSS vulnerability in OPAC browse results

Earlier this month we received a warning that our demo installation (which was on 3.11.1 back then) had the following vulnarability. A couple of days later, we upgraded to 3.13.0 but it seems that the vulnarability has not been resolved by the upgrade. Anyway, per https://evergreen-ils.org/egdownloads/ even 3.11.1 is still one of the supported versions, so it is most likely an issue worth looking into.

> ---- Předaná zpráva od "UT Information Security Office"
> <email address hidden> ---
> Od: "UT Information Security Office" <email address hidden>
> Komu: <email address hidden>
> Předmět: [cuni #10874] [ISOTicket:4759825] UT/ISO -- Verified Vulnerable
> Web Page [195.113.63.104 - cuni.cz]
> Datum: 10/06/2024 12:28:09
>
> =========================================================
> The following alert is the product of the Dorkbot service
> created by UT Austin.
> =========================================================
>
> The Information Security Office at the University of Texas at Austin
> has found the following web page to be vulnerable to a high-risk application
> attack:
>
> HOST: 195.113.63.104 [evergreendemo.jabok.cuni.cz.]
> HOST: N/A
> DATE: 2024-06-10 00:29:25 CST/CDT
>
> GET:
> https://evergreendemo.jabok.cuni.cz/eg/opac/browse?long_facet=identifiergen[..] <https://evergreendemo.jabok.cuni.cz/eg/opac/browse?long_facet=identifiergenre%3Bqtype%3Dauthor%3Bquery%3DKurovsk%C3%A1+Lenka%3Bfacet%3Didentifier%7Cgenre%5Bpublikace+pro+d%C4%9Bti%5D%3Bpane%3Dadvanced&blimit=%22%3E%3Cscript%3Ealert%28150%29%3C%2Fscript%3E&bterm=1&qtype=title&locg=1&search-submit-go=1>
>
> ATTACK DETAILS:
> This page is vulnerable to Cross-site scripting attacks.
>
> Cross-site scripting attacks, in general, are an issue because
> they are enabling attacks. Specially-crafted malicious URLs can
> steal authentication tokens/cookies when a logged-in user visits them,
> giving the attacker full access to that user's account in the application.
> Reflected XSS attacks, in particular, are a concern as they can be used to
> socially engineer a user into clicking on what appears to be a
> legitimate URL.
>
> ** Please note that the Dorkbot service will re-check this page in the next
> 30-days to help verify remediation for you. **
>
> Please also consider the following:
>
> - Web application security testing should be performed regularly,
>    especially for any public web applications. This includes
>    tracking application inventory, general code review and vulnerability
>    assessments using web application security testing tools.
>
> - All input received by the web server should be checked before
>    it is processed. The best method is to remove all unwanted input and
>    accept only expected input. For example, ensure angle brackets are
>    not allowed in any input to any Web page fields. Additionally, no
>    syntactic input should be allowed. Syntactic input can come from
>    databases, other servers, etc. All input into a Web application must
>    be filtered to ensure the delivery of clean content to individuals using
>    your service.
>
> - Other References:
>
>    OWASP Top 10 Proactive Controls
> https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Main
>
>    OWASP Guide to Building Secure Web Applications and Web Services
> https://www.owasp.org/index.php/Category:OWASP_Guide_Project
>
> Please let us know if you believe any of this information to be inaccurate
> so that we can be of better service in the future.
>
> We hope this information is helpful.
>
> Information Security Office
> The University of Texas at Austin
> <email address hidden>
> http://security.utexas.edu
> =======================================